[Bro] Bro-ids dpd offline analysis

Robin Sommer robin at icir.org
Wed Dec 6 09:38:47 PST 2006


On Wed, Dec 06, 2006 at 16:47 +0800, CS Lee wrote:

> I'm wondering are there any examples showing how to use bro with all the
> argument options, I found it kinda confusing especially for people who are new

Sorry, the shipped documentation is all we have in this regard at
this time. Yeah, having some more examples would certainly be nice.

> I tried to load all this to mt.bro, and running -
> 
> bro -r test.pcap mt

That's almost correct except for one missing piece: for DPD you need
to set the capture-filter to include packets on non-standard ports,
e.g., "bro -f tcp -r test.pcap mt" to include all TCP packets. (This
is not different from live analysis which requires this too.)

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
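The point of the reply above is that dynamic protocol detection (DPD) classifies traffic by payload, so it can only work on packets the capture filter actually delivers; a port-based filter silently drops the non-standard-port flows DPD exists to catch. The following is an added illustration, not Bro code and not part of the original thread: it models a tiny subset of BPF capture-filter syntax and a toy payload classifier, and shows that a port-restricted filter hides an HTTP session on port 8080 that the "tcp" filter from the reply keeps. The packets, the filter subset, and the classifier signatures are all constructed for this example.

```python
"""
Constructed illustration of why offline DPD needs a capture filter such as
"-f tcp": with a port-based filter the analyzer never sees the traffic on
non-standard ports that payload-based detection would have classified.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    payload: bytes # first bytes of application data


# Constructed sample traffic: HTTP on port 80, HTTP on the non-standard
# port 8080, an SMTP banner on port 4444, and a UDP packet on port 53.
SAMPLE = [
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("tcp", 8080, b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("tcp", 4444, b"220 mail.example.test ESMTP ready\r\n"),
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01"),
]


def capture_filter(expr: str):
    """Build a predicate for a small BPF-like subset (assumption: only the
    terms 'tcp', 'udp' and 'port N', joined by 'or', no parentheses)."""
    terms = [t.strip().split() for t in expr.split(" or ")]

    def keep(pkt: Packet) -> bool:
        for term in terms:
            if term == ["tcp"] and pkt.proto == "tcp":
                return True
            if term == ["udp"] and pkt.proto == "udp":
                return True
            if term[0] == "port" and pkt.dport == int(term[1]):
                return True
        return False

    return keep


def dpd_classify(payload: bytes) -> str:
    """Toy payload-based protocol detection standing in for DPD signatures;
    the real signatures are far richer, this only looks at the first bytes."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if payload.startswith(b"220 ") and b"SMTP" in payload:
        return "smtp"
    return "unknown"


def analyze(filter_expr: str, packets=SAMPLE) -> dict:
    """Apply the capture filter first (as a capture filter does), then run
    payload classification only on what survived. Returns {dport: protocol}."""
    keep = capture_filter(filter_expr)
    seen = {}
    for pkt in packets:
        if keep(pkt):
            seen[pkt.dport] = dpd_classify(pkt.payload)
    return seen


if __name__ == "__main__":
    # A port-based filter never delivers the port-8080 HTTP session to DPD.
    print("port 80 or port 53 ->", analyze("port 80 or port 53"))
    # "-f tcp" keeps every TCP packet, so DPD can classify the odd ports too.
    print("tcp                ->", analyze("tcp"))
```

Running it prints that the port-based filter yields only `{80: 'http', 53: 'unknown'}`, while the "tcp" filter yields `{80: 'http', 8080: 'http', 4444: 'smtp'}`: the same classifier, fed the same pcap, finds the non-standard-port services only when the capture filter lets them through.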